esc_sql

Prepares a string for use as an SQL query. This function is a glorified addslashes() that works with arrays.

In 99% of cases, you can use $wpdb->prepare() instead, and that is the recommended method. This function is only for use in those rare cases where you can’t easily use $wpdb->prepare(). One example is preparing an array for use in an IN clause.

Note: Be careful to use this function correctly. It will only escape values to be used in strings in the query. That is, it only provides escaping for values that will be within quotes in the SQL (as in field = ‘{$escaped_value}’). If your value is not going to be within quotes, your code will still be vulnerable to SQL injection. For example, this is vulnerable, because the escaped value is not surrounded by quotes in the SQL query: ORDER BY {$escaped_value}. As such, this function does not escape unquoted numeric values, field names, or SQL keywords.

Have Feedback?

Let us know how we can improve this tool.
Share Feedback

qSandbox.com

qSandbox.com

esc_sql

Input:

Have Feedback?

qSandbox.com

Tools > WordPress Functions > Supported Functions > esc_sql

esc_sql

Input:

Have Feedback?